Executive Summary: On November 8th, an internal SEC investigative report was made public that exposed rampant misuse and lack of protection on computers. The report claims that one million dollars was spent on unnecessary technology. Furthermore, many computers that contained sensitive stock information were not encrypted. Some devices were not even equipped with basic antivirus software.
"While they were using unencrypted laptops themselves, they were recommending to the (exchanges and clearing agencies) that they encrypt their laptops," Rymer [SEC Interim Inspector General] wrote in his report, which is dated August 30. To add insult to injury, it was strongly suggested that members may have taken these devices to a hacker awareness convention. Employees of the SEC were even surveyed and admitted to taking the devices home for personal use. It is worth mentioning that this report was confined to only the Trading and Markets Division.

Analysis: It appears that the SEC definitely did not comply with the FISMA guidelines in this particular branch. Mainly, it appears that there is no strong central IT security in place. There should be controls in place that would necessitate IT approval for any technology spending. HR should have stricter punishments for any IT indiscretions that arise. Even steps as simple as properly configuring network access controls would help. While the IT audit did eventually turn up these material weaknesses in the IT system, it should be said that the audit process should have turned up these discrepancies before they grew to such a tremendous level. For an agency dealing with materials that could potentially be worth billions of dollars, one would think computer security would be a higher priority.